Errors with Outlook and DirectAccess forced tunneling

Today we are going to cover a new Outlook error message I discovered today while working with a DirectAccess client, specifically one using forced tunneling. Earlier this week I helped get a client set up using DirectAccess and, for security reasons, they had to configure their DirectAccess clients to use forced tunneling. With this configuration, all traffic from the DA client is sent to the DA server, including any Internet browsing. In most configurations, I usually discourage using forced tunneling because of a number of extra factors that it brings to the table. Just for the record, you can enable or disable forced tunneling in Step 1 of the DirectAccess client configuration, as shown below:

Forced Tunneling

By default the box is not checked and we use split-tunneling for DirectAccess connections.

At my customer, they were required to use forced tunneling, so we got them all set up and working. Once users tried to use Outlook, though, they found that Outlook could not connect to Exchange across DirectAccess using forced tunneling. They were getting one of the following error messages in Outlook:

The action cannot be completed. The connection to the Microsoft Exchange Server is unavailable. Your network adapter does not have a default gateway.

Your Microsoft Exchange Server is unavailable

Outlook cannot log on. Verify that you are connected to the network and are using the proper server and mailbox name. The connection to the Microsoft Exchange Server is unavailable. Your network adapter does not have a default gateway.

Cannot start Microsoft Office Outlook. Cannot open the Outlook window. The set of folders cannot be opened. The attempt to log on to Microsoft Exchange has failed.

After doing some research, it appears Outlook has its own check for a default gateway when you start Outlook. Forced tunneling in DirectAccess modifies the default network configuration of your DirectAccess clients, which causes this issue to occur. Luckily there is an easy workaround, which involves adding a registry value specifically for Outlook. Depending on the version of Outlook on your DirectAccess client, you might have to set it under one of the following keys:

Outlook 2007
1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following subkey:
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\RPC
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type DefConnectOpts, and then press ENTER.
5. Right-click DefConnectOpts, and then click Modify.
6. In the Value data box, type 0, and then click OK.
7. Exit Registry Editor.

Outlook 2010
1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following subkey:
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\RPC
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type DefConnectOpts, and then press ENTER.
5. Right-click DefConnectOpts, and then click Modify.
6. In the Value data box, type 0, and then click OK.
7. Exit Registry Editor.

Outlook 2013
1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following subkey:
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\RPC
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type DefConnectOpts, and then press ENTER.
5. Right-click DefConnectOpts, and then click Modify.
6. In the Value data box, type 0, and then click OK.
7. Exit Registry Editor.

Check and verify this fixes your issue on one of your forced tunneling DirectAccess clients and then you can easily push these registry values using a GPO. This is a good one to tuck away if you decide to run forced tunneling DirectAccess and have Outlook on your clients.
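The registry steps above, scripted for all three Outlook versions, as an added example that is not part of the original post. It assumes it runs in the affected user's session (for instance as a logon script), because the value lives under HKEY_CURRENT_USER, and it creates the RPC subkey when that subkey does not exist yet.

```powershell
# Added example: set DefConnectOpts = 0 for each Outlook version listed in the article.
# Must run as the affected user, since the value is stored under HKEY_CURRENT_USER.
$versions = [ordered]@{
    '12.0' = 'Outlook 2007'
    '14.0' = 'Outlook 2010'
    '15.0' = 'Outlook 2013'
}

$results = foreach ($ver in $versions.Keys) {
    $outlookKey = "HKCU:\Software\Microsoft\Office\$ver\Outlook"
    $rpcKey     = Join-Path $outlookKey 'RPC'

    # Assumption: the per-user Outlook key exists only where that version is in use,
    # so versions without it are skipped instead of creating empty keys.
    if (-not (Test-Path $outlookKey)) {
        [pscustomobject]@{
            Product = $versions[$ver]
            Key     = $rpcKey
            Status  = 'Outlook key not present, skipped'
        }
        continue
    }

    # The RPC subkey is not always present; create it before writing the value.
    if (-not (Test-Path $rpcKey)) {
        New-Item -Path $rpcKey -Force | Out-Null
    }

    # Create or overwrite the DWORD value described in steps 3 to 6.
    New-ItemProperty -Path $rpcKey -Name 'DefConnectOpts' `
        -PropertyType DWord -Value 0 -Force | Out-Null

    # Read the value back so the report shows what is actually stored.
    $current = (Get-ItemProperty -Path $rpcKey -Name 'DefConnectOpts').DefConnectOpts
    [pscustomobject]@{
        Product = $versions[$ver]
        Key     = $rpcKey
        Status  = "DefConnectOpts = $current"
    }
}

$results | Format-Table -AutoSize
```

Outlook has to be restarted before the new value takes effect.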

Categories: Troubleshooting DirectAccess

9 Comments on “Errors with Outlook and DirectAccess forced tunneling”

  1. Paul
    November 14, 2013 at 08:09 #

    Thank you for this write-up. It helped me in resolving the same issue.

    Cheers!

  2. Mac
    December 4, 2013 at 17:09 #

    Wooohoooooooo Excellent.

  3. Vlad
    January 31, 2014 at 04:21 #

    Tried this solution without success. Seems like it is some problem with IPv4 to IPv6 translation. Could you do some more research?

    • January 31, 2014 at 14:13 #

      Hi Vlad,

      I’ve used this setting for quite a few clients using forced tunneling with Outlook and been successful each time. How are your Exchange servers set up? Are they behind a load balancer? Can the DirectAccess clients ping the CAS server name(s)?

      • Vlad
        February 11, 2014 at 04:06 #

        I’ve solved it. It turns out that DA server didn’t publish default gateway for the IPHTTPS interface.

        netsh int ipv6 set int IDX advertisedefaultroute=enabled
        where IDX is the IDX for the IPHTTPS interface
        solved the problem.
        The command should be issued on the DA server.

  4. Ivan
    February 6, 2014 at 19:36 #

    How come there’s no RPC in my Outlook? Where can I find it?

  5. wagereka
    March 8, 2014 at 12:16 #

    I have even tried adding RPC, but all in vain. Anybody with any solution, please?

    • March 8, 2014 at 12:27 #

      Hello,

      Are you able to ping the CAS server(s) from your DirectAccess client?
